
Want to uncover security flaws in your product before the bad guys do? Just put a big pile of money on the table.

Security researchers collected over $60,000 in prize money on Wednesday for reporting new zero-day flaws in Google's Chrome web browser at the Pwn2Own and Pwnium security challenges held during the CanSecWest conference.

Google's Chrome browser survived the gauntlet of hacker challenges at the Pwn2Own hacking challenge in 2011, but this year it was the first to fall -- and it took less than 5 minutes to do it. The Pwn2Own Chrome exploit was popped by security research group VUPEN.

"Google Chrome is the first browser to fall at #pwn2own 2012, we pwned it using an exploit bypassing DEP/ASLR and the sandbox!" VUPEN wrote in a tweet yesterday afternoon.

DEP (Data Execution Prevention) is a security technology that marks memory regions such as the stack and heap as non-executable, so that code loaded into those regions is not allowed to run. ASLR (Address Space Layout Randomization) is a complementary technology that randomizes where code and data are placed in a process's memory, making it more difficult for an attacker to predict the addresses needed as a launch pad for an attack. Both DEP and ASLR have been attacked and defeated at Pwn2Own as far back as 2009.

For its part, Google mocked the Pwn2Own VUPEN win as being just a Flash bug. Chrome is the only web browser that directly integrates Flash into the browser.

"Meh, you bring Flash in play and no one stands a chance," wrote Justin Schuh, Google Chrome security manager, in a tweet this morning. Schuh also reached out to VUPEN to offer this assessment: "Not to undermine the win, btw. Just saying we know what kind of bug it will be when ZDI eventually hands it over."

Under the terms of the Pwn2Own event, contest organizer HP TippingPoint's ZDI (Zero Day Initiative) will disclose the actual bug to Google, but not the bypass technique. The controversy over what is and what isn't disclosed at Pwn2Own is the reason why Google pulled out of the Pwn2Own event this year, choosing instead to run its own Pwnium challenge as a rival event -- at the same conference, and at the same exact time. The Pwn2Own event was restructured this year, adopting a points system to determine the overall winner. The top point scorer will win $60,000, second place will be awarded $30,000, and third place gets $15,000.

$60,000 Reward for Sandbox Exploit at Pwnium

Google Chrome has a process sandbox that isolates browser processes from the operating system, providing a degree of protection against operating system flaws. Chrome's sandbox has never been publicly exploited in a Pwn2Own event -- but at the Google-sponsored Pwnium contest yesterday, well-known security researcher Sergey Glazunov demonstrated an exploit against Chrome and its sandbox to win the single biggest security award ever publicly issued.

"Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry, qualifying for a $60k reward," wrote Sundar Pichai, Senior Vice President of Chrome at Google, in a tweet.

Previously, the single biggest award offered by Google for Chrome was a special $10,000 award that was attached to the recent Chrome 17.0.963.65 update. That update was somewhat unique as it was the first Chrome update in months that didn't have any flaws that were reported by Glazunov.

"This explains the lack of bug reports from Sergey Glazunov," researcher Michel 'miaubiz' Aubizziere tweeted. Aubizziere is one of the three researchers who were given the $10,000 special award for the Chrome 17.0.963.65 release.